---
title: 'Group Management'
description: 'Organize users and servers into logical groups for efficient access control'
---

## Overview

The group management system in AIAgentDNS·DNSNode lets you organize users and servers into logical groups, which simplifies permission management and access control. Groups provide a flexible way to manage resources in large-scale deployments.

## Creating Groups

### Via the Dashboard

1. **Navigate to the Groups section**: click "Groups" in the main dashboard
2. **Click "Create Group"**: start the group creation flow
3. **Fill in the group details**:
   - **Group name**: a unique group identifier
   - **Display name**: a user-friendly group name
   - **Description**: the purpose and scope of the group
   - **Parent group**: optional, for building a hierarchy

### Via the API

```bash
curl -X POST http://localhost:3000/api/groups \
  -H "Content-Type: application/json" \
  -H "Authorization: Bearer $TOKEN" \
  -d '{
    "name": "development-team",
    "displayName": "开发团队",
    "description": "前端和后端开发人员",
    "parentGroup": null,
    "settings": {
      "autoAssign": false,
      "maxMembers": 50,
      "requireApproval": true
    }
  }'
```

### Via a Configuration File

Define groups in `groups.json`:

```json
{
  "groups": {
    "dev-team": {
      "displayName": "开发团队",
      "description": "应用程序开发人员",
      "permissions": {
        "servers": ["read", "write", "execute"],
        "tools": ["read", "execute"],
        "logs": ["read"]
      },
      "members": ["user1", "user2"],
      "servers": ["dev-server-1", "dev-server-2"]
    },
    "qa-team": {
      "displayName": "质量保证团队",
      "description": "测试和质量保证",
      "permissions": {
        "servers": ["read", "execute"],
        "tools": ["read", "execute"],
        "logs": ["read"]
      },
      "members": ["qa1", "qa2"],
      "servers": ["test-server", "staging-server"]
    }
  }
}
```

## Group Hierarchy

### Nested Groups

Create a group hierarchy for better organization:

```json
{
  "groups": {
    "engineering": {
      "displayName": "工程部",
      "description": "所有工程团队",
      "children": ["frontend", "backend", "devops"]
    },
    "frontend": {
      "displayName": "前端团队",
      "parent": "engineering",
      "servers": ["frontend-dev", "frontend-staging"]
    },
    "backend": {
      "displayName": "后端团队",
      "parent": "engineering",
      "servers": ["api-server", "database-server"]
    },
    "devops": {
      "displayName": "运维团队",
      "parent": "engineering",
      "servers": ["monitoring", "deployment"]
    }
  }
}
```

### Inherited Permissions

Child groups inherit permissions from their parent groups:

```bash
# Check inherited permissions (the URL is quoted so the shell does not treat "?" as a glob)
curl -X GET "http://localhost:3000/api/groups/frontend/permissions?inherited=true" \
  -H "Authorization: Bearer $TOKEN"
```

## User Management

### Adding Users to a Group

```bash
# Add a single user
curl -X POST http://localhost:3000/api/groups/dev-team/members \
  -H "Content-Type: application/json" \
  -H "Authorization: Bearer $TOKEN" \
  -d '{
    "userId": "user123",
    "role": "member"
  }'

# Add users in bulk
curl -X POST http://localhost:3000/api/groups/dev-team/members/bulk \
  -H "Content-Type: application/json" \
  -H "Authorization: Bearer $TOKEN" \
  -d '{
    "users": [
      {"userId": "user1", "role": "member"},
      {"userId": "user2", "role": "admin"},
      {"userId": "user3", "role": "member"}
    ]
  }'
```

### User Roles

Each group supports different user roles:

- **Group admin**: full group management permissions
- **Member**: standard group access
- **Viewer**: read-only access
- **Guest**: limited, temporary access

### Removing Users

```bash
# Remove a user from the group
curl -X DELETE http://localhost:3000/api/groups/dev-team/members/user123 \
  -H "Authorization: Bearer $TOKEN"
```

## Server Assignment

### Assigning Servers to a Group

```bash
# Assign a single server
curl -X POST http://localhost:3000/api/groups/dev-team/servers \
  -H "Content-Type: application/json" \
  -H "Authorization: Bearer $TOKEN" \
  -d '{
    "serverId": "my-server",
    "permissions": ["read", "write", "execute"]
  }'

# Assign servers in bulk
curl -X POST http://localhost:3000/api/groups/dev-team/servers/bulk \
  -H "Content-Type: application/json" \
  -H "Authorization: Bearer $TOKEN" \
  -d '{
    "servers": [
      {
        "serverId": "server1",
        "permissions": ["read", "write"]
      },
      {
        "serverId": "server2",
        "permissions": ["read", "execute"]
      }
    ]
  }'
```

### Server Permission Levels

Define fine-grained permissions for each group-server pair:

```json
{
  "serverId": "my-server",
  "permissions": {
    "execute": {
      "allowed": true,
      "tools": ["filesystem", "web-search"],
      "restrictions": {
        "maxRequests": 100,
        "timeWindow": "1h"
      }
    },
    "configure": {
      "allowed": false
    },
    "logs": {
      "allowed": true,
      "level": ["info", "warn", "error"]
    }
  }
}
```

## Permission Management

### Group Permission Model

```json
{
  "groupId": "dev-team",
  "permissions": {
    "servers": {
      "create": false,
      "read": true,
      "update": true,
      "delete": false,
      "execute": true
    },
    "tools": {
      "filesystem": {
        "read": true,
        "write": true,
        "paths": ["/app/data", "/tmp"]
      },
      "web-search": {
        "enabled": true,
        "maxQueries": 50
      }
    },
    "monitoring": {
      "viewLogs": true,
      "viewMetrics": true,
      "exportData": false
    },
    "administration": {
      "manageUsers": false,
      "manageServers": true,
      "manageGroups": false
    }
  }
}
```

### Dynamic Permissions

Condition-based dynamic permissions:

```json
{
  "permissions": {
    "servers": {
      "execute": {
        "condition": "time.hour >= 9 && time.hour <= 17",
        "message": "服务器执行仅在工作时间内允许"
      }
    },
    "tools": {
      "filesystem": {
        "write": {
          "condition": "user.role === 'admin' || group.name === 'senior-devs'",
          "message": "写入权限需要管理员或高级开发者角色"
        }
      }
    }
  }
}
```

## Quota Management

### Setting Group Quotas

```bash
curl -X PUT http://localhost:3000/api/groups/dev-team/quotas \
  -H "Content-Type: application/json" \
  -H "Authorization: Bearer $TOKEN" \
  -d '{
    "requests": {
      "daily": 1000,
      "monthly": 30000
    },
    "storage": {
      "maxSize": "10GB",
      "retention": "30d"
    },
    "compute": {
      "maxConcurrentRequests": 10,
      "maxExecutionTime": "5m"
    }
  }'
```

### Monitoring Quota Usage

```bash
# Get current quota usage
curl -X GET http://localhost:3000/api/groups/dev-team/quotas/usage \
  -H "Authorization: Bearer $TOKEN"
```

Example response:

```json
{
  "groupId": "dev-team",
  "period": "2024-01-01T00:00:00Z",
  "usage": {
    "requests": {
      "used": 750,
      "limit": 1000,
      "remaining": 250
    },
    "storage": {
      "used": "7.2GB",
      "limit": "10GB",
      "remaining": "2.8GB"
    },
    "compute": {
      "currentConcurrent": 3,
      "maxConcurrent": 10,
      "avgExecutionTime": "2m 15s"
    }
  }
}
```

## Group Policies

### Defining Group Policies

```json
{
  "groupId": "dev-team",
  "policies": {
    "security": {
      "requireMFA": false,
      "sessionTimeout": "8h",
      "ipWhitelist": ["192.168.1.0/24", "10.0.0.0/8"]
    },
    "usage": {
      "allowWeekendAccess": true,
      "restrictHolidays": false,
      "maxSessionDuration": "12h"
    },
    "data": {
      "encryptionRequired": true,
      "dataRetention": "90d",
      "exportAllowed": false
    }
  }
}
```

### Policy Inheritance

```bash
# Apply a policy template
curl -X POST http://localhost:3000/api/groups/dev-team/policies/apply \
  -H "Content-Type: application/json" \
  -H "Authorization: Bearer $TOKEN" \
  -d '{
    "template": "development-team-template",
    "overrides": {
      "security.sessionTimeout": "4h"
    }
  }'
```

## Automated Group Management

### Automatic User Assignment

Assign users automatically based on their attributes:

```json
{
  "autoAssignment": {
    "enabled": true,
    "rules": [
      {
        "condition": "user.department === '开发'",
        "action": {
          "addToGroup": "dev-team",
          "role": "member"
        }
      },
      {
        "condition": "user.title.includes('高级')",
        "action": {
          "addToGroup": "senior-devs",
          "role": "admin"
        }
      }
    ]
  }
}
```

### Scheduled Jobs

```bash
# Create a scheduled cleanup job
curl -X POST http://localhost:3000/api/groups/dev-team/jobs \
  -H "Content-Type: application/json" \
  -H "Authorization: Bearer $TOKEN" \
  -d '{
    "name": "cleanup-inactive-users",
    "schedule": "0 2 * * *",
    "action": "removeInactiveUsers",
    "params": {
      "inactiveDays": 30
    }
  }'
```

## Group Notifications

### Configuring Notifications

```json
{
  "groupId": "dev-team",
  "notifications": {
    "channels": {
      "email": {
        "enabled": true,
        "recipients": ["team-lead@company.com"]
      },
      "slack": {
        "enabled": true,
        "webhook": "https://hooks.slack.com/...",
        "channel": "#dev-team"
      }
    },
    "events": ["userJoined", "userLeft", "serverAdded", "quotaExceeded", "securityAlert"]
  }
}
```

### Sending Group Notifications

```bash
curl -X POST http://localhost:3000/api/groups/dev-team/notifications \
  -H "Content-Type: application/json" \
  -H "Authorization: Bearer $TOKEN" \
  -d '{
    "type": "announcement",
    "title": "维护通知",
    "message": "服务器将在今晚 10 点进行维护",
    "priority": "high",
    "channels": ["email", "slack"]
  }'
```

## Group Analytics

### Usage Statistics

```bash
# Get group usage statistics
curl -X GET http://localhost:3000/api/groups/dev-team/analytics \
  -H "Authorization: Bearer $TOKEN"
```

Example response:

```json
{
  "groupId": "dev-team",
  "period": "30d",
  "stats": {
    "activeUsers": 12,
    "totalRequests": 15750,
    "avgResponseTime": "250ms",
    "errorRate": "0.5%",
    "mostUsedTools": [
      { "name": "filesystem", "usage": 8500 },
      { "name": "web-search", "usage": 4200 },
      { "name": "database", "usage": 3050 }
    ],
    "peakUsageHours": [9, 10, 14, 15, 16]
  }
}
```

### Generating Reports

```bash
# Generate a monthly report
curl -X POST http://localhost:3000/api/groups/dev-team/reports \
  -H "Content-Type: application/json" \
  -H "Authorization: Bearer $TOKEN" \
  -d '{
    "type": "monthly",
    "format": "pdf",
    "includeDetails": true,
    "recipients": ["manager@company.com"]
  }'
```

## Troubleshooting

### Common Issues

1. **A user cannot access group resources**

   ```bash
   # Check the user's group memberships
   curl -X GET http://localhost:3000/api/users/user123/groups \
     -H "Authorization: Bearer $TOKEN"
   ```

2. **Permission misconfiguration**

   ```bash
   # Validate the permission settings
   curl -X GET http://localhost:3000/api/groups/dev-team/permissions/validate \
     -H "Authorization: Bearer $TOKEN"
   ```

3. **Quota exceeded**

   ```bash
   # Check quota status
   curl -X GET http://localhost:3000/api/groups/dev-team/quotas/status \
     -H "Authorization: Bearer $TOKEN"
   ```

### Debugging Group Permissions

Enable permission debugging:

```bash
# Debug a user's permissions (the body is JSON, so the Content-Type header is required)
curl -X GET http://localhost:3000/api/debug/permissions \
  -H "Content-Type: application/json" \
  -H "Authorization: Bearer $TOKEN" \
  -d '{
    "userId": "user123",
    "resource": "server:my-server",
    "action": "execute"
  }'
```
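The following added example (JavaScript, not part of AIAgentDNS·DNSNode) shows how the inheritance described under Inherited Permissions combines with group membership to produce the allow/deny decision that the debug endpoint above reports, and why a cyclic or dangling `parent` must fail closed. The group data, user names and the merge rule (ancestor grants and server assignments are inherited and unioned across the user's groups) are assumptions.

```javascript
// Added example, not part of AIAgentDNS·DNSNode: resolve a user's effective
// access to a server by walking group membership and the parent chain.
// Assumed semantics: ancestors' grants and server assignments are inherited
// and unioned across every group the user belongs to.

// Constructed sample data in the shape of groups.json (hypothetical groups/users).
const sampleGroups = {
  engineering: { permissions: { servers: ["read"], logs: ["read"] } },
  frontend: {
    parent: "engineering",
    permissions: { servers: ["execute"] },
    members: ["alice"],
    servers: ["frontend-dev", "frontend-staging"],
  },
  backend: {
    parent: "engineering",
    permissions: { servers: ["execute", "write"] },
    members: ["bob"],
    servers: ["api-server"],
  },
};

// Return [group, parent, grandparent, ...]. A cycle or a dangling parent throws,
// so a malformed hierarchy fails closed instead of looping or widening access.
function ancestry(groups, name) {
  const chain = [];
  const seen = new Set();
  for (let g = name; g != null; g = groups[g].parent) {
    if (!groups[g]) throw new Error(`unknown group: ${g}`);
    if (seen.has(g)) throw new Error(`cycle in group hierarchy at: ${g}`);
    seen.add(g); chain.push(g);
  }
  return chain;
}

// Decide whether userId may perform `action` on serverId. The result lists the
// groups that granted it, mirroring what the permissions debug endpoint reports.
function checkAccess(groups, userId, serverId, action) {
  const grantedBy = [];
  for (const [name, group] of Object.entries(groups)) {
    if (!(group.members || []).includes(userId)) continue;
    const chain = ancestry(groups, name);
    // The server must be assigned somewhere along the chain...
    const assigned = chain.some((g) => (groups[g].servers || []).includes(serverId));
    // ...and the action must be granted somewhere along the same chain.
    const granted = chain.some((g) => (groups[g].permissions?.servers || []).includes(action));
    if (assigned && granted) grantedBy.push(name);
  }
  return { allowed: grantedBy.length > 0, grantedBy };
}
```

Running `checkAccess(sampleGroups, "alice", "frontend-dev", "read")` is allowed via `frontend` even though only `engineering` grants `read`, while `write` on the same server is denied because no group in the chain grants it.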

## Best Practices

1. **Organizational structure**: use a hierarchical group structure that mirrors your organization
2. **Least privilege**: grant only the minimum permissions needed to perform a task
3. **Regular audits**: review group memberships and permissions periodically
4. **Automation**: use automation rules to reduce manual management overhead
5. **Monitoring**: set up monitoring and alerts to track group activity

For more information, see the [Authentication & Security](/zh/features/authentication) and [Monitoring](/zh/features/monitoring) documentation.
